Abstract

The main problem in model checking that prevents it from being used for verification of large systems is the state explosion problem. This problem often arises from combining parallel processes together. Many techniques have been proposed to overcome this difficulty and, thus, increase the size of the systems that model checkers can handle. We describe several compositional model checking techniques used in practice and show a few examples demonstrating their performance.


This research is sponsored by the Semiconductor Research Corporation (SRC) under Contract No. 97-DJ-294, the National Science Foundation (NSF) under Grant No. CCR-9505472, and the Defense Advanced Research Projects Agency (DARPA) under Contract No. DABT63-96-C-0071.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of SRC, NSF, DARPA, or the United States Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon. This manuscript is submitted for publication with the understanding that the U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes.




Keywords: automatic verification, temporal logic, compositional model checking, bisimulation


1 Introduction


Symbolic model checking is a very successful method for verifying complex finite-state reactive systems [7]. It models a computer system as a state-transition graph. Efficient algorithms are used to traverse this graph and determine whether various properties are satisfied by the model. By using BDDs [5] it is possible to verify extremely large systems having as many as $10^{120}$ states. Several systems of industrial complexity have been verified using this technique. These systems include parts of the Futurebus+ standard [12, 19], the PCI local bus [10, 20], a robotics system [8] and an aircraft controller [9].

In spite of such success, symbolic model checking has its limitations. In some cases the BDD representation can be exponential in the size of the system description. This behavior is called the state explosion problem. The primary cause of this problem is parallel composition of interacting processes. The problem occurs because the number of states in the global model is exponential in the number of component processes. Explicit state verifiers suffer from the state explosion problem more severely than symbolic verifiers. However, the problem afflicts symbolic verification systems as well, preventing them from being applied to larger and more complex examples.

The state explosion can be alleviated using special techniques such as compositional reasoning. This method verifies each component of the system in isolation and allows global properties to be inferred about the entire system. Efficient algorithms for compositional verification can extend the applicability of formal verification methods to much larger and more interesting examples. In this paper we describe several approaches to compositional reasoning. Some are automatic and are almost completely transparent to the user. Others require more user intervention but can achieve better results. Each is well suited for some applications while not so efficient for others.

For example, partitioned transition relations [6] and lazy parallel composition [11, 27] are automatic and, therefore, preferred in cases where user intervention is not desired (for example, when the user is not an expert). These techniques provide a way to compute the set of successors (or predecessors) of a state set without constructing the transition relation of the global system. Both use the transition relations of each component separately during traversal of the state graph. The individual results are combined later to give the set of states in the global graph that corresponds to the result of the operation being performed.

Another automatic technique is based on the use of interface processes. This technique attempts to minimize the global state transition graph by focusing on the communication among the component processes. The method considers the set of variables used in the interface between two components and minimizes the system by eliminating events that do not relate to the communication variables. In this way, properties that refer to the interface variables are preserved, but the model becomes smaller.

Assume-guarantee reasoning [17] is a manual technique that verifies each component separately. The behavior of each component depends on the behavior of the rest of the system, i.e., its environment. Because of this, the user must specify properties that the environment has to satisfy in order to guarantee the correctness of the component. These properties are assumed. If these assumptions are satisfied, the component will satisfy other properties, called guarantees. By combining the set of assume/guarantee properties in an appropriate way, it is possible to demonstrate the correctness of the entire system without constructing the global state graph.

All of these methods have been used to verify realistic systems. This shows that compositional reasoning is an effective method for increasing the applicability of model checking tools. Furthermore, it is a necessity for verification of many complex industrial systems.

The remainder of this paper is organized as follows: Section 2 introduces the formal model that we use for finite-state systems and the kinds of parallel composition we consider. Section 3 describes partitioned transition relations, and Section 4 discusses lazy parallel composition. Interface processes and assume-guarantee reasoning are described in Sections 5 and 6, respectively. Finally, the paper concludes in Section 7 with a summary and some directions for future research.


2 The Model

Given the description of the system to be verified, constructing its model involves two important steps. The first is constructing the model for the individual components. The second is composing the individual models into a global model. We start by showing how to represent each component symbolically given its state-transition graph. Then we describe the parallel composition algorithm used to construct the global model.


2.1 Representing a Single Component

Representing a state-transition graph symbolically involves determining its set of states and deriving the transition relation of the graph that models the component. Consider a system with a set of variables $V$. For a synchronous circuit, the set $V$ is typically the outputs of all the registers in the circuit together with the primary inputs. In the case of an asynchronous circuit, $V$ is usually the set of all nodes. For a protocol or software system, $V$ is the set of variables in the program. A state is described by giving values to all the variables in $V$. Since the system is finite-state we can encode all states by boolean vectors. Throughout the paper we assume that this encoding has already been done and that all variables in $V$ are boolean. Therefore, a state can be described by a valuation assigning either 0 or 1 to each variable. Given a valuation, we can also write a boolean expression which is true for exactly that valuation. For example, given $V = \{v_0, v_1, v_2\}$ and the valuation $(v_0 \leftarrow 1, v_1 \leftarrow 1, v_2 \leftarrow 0)$, we derive the boolean formula $v_0 \wedge v_1 \wedge \neg v_2$. This boolean formula can then be represented using a BDD.

In general, however, a boolean formula may be true for many valuations. If we adopt the convention that a formula represents the set of all valuations that make it true, then we can describe sets of states by boolean formulas and, hence, by BDDs. In practice, BDDs are often much more efficient than representing sets of states explicitly. We denote sets of states with the letter $S$ and we denote the BDD representing the set $S$ by $S(V)$, where $V$ is the set of variables that the BDD may depend on. We also use $f, g, \ldots$ for arbitrary boolean functions.

In addition to representing sets of states of a system, we must be able to represent the transitions that the system can make. To do this, we extend the idea used above. Instead of just representing a set of states using a BDD, we represent a set of ordered pairs of states. We cannot do this using just a single copy of the state variables, so we create a second set of variables $V'$. We think of the variables in $V$ as current state variables and the variables in $V'$ as next state variables. Each variable $v$ in $V$ has a corresponding next state variable in $V'$, which we denote by $v'$. A valuation for the variables in $V$ and $V'$ can be viewed as an ordered pair of states, and we represent sets of these valuations using BDDs as above. We write a formula that is true iff there is a transition from the state represented by $V$ to the state represented by $V'$. For example, if there is a transition from state $(v_0 \leftarrow 1, v_1 \leftarrow 1, v_2 \leftarrow 0)$ to state $(v_0 \leftarrow 1, v_1 \leftarrow 0, v_2 \leftarrow 1)$ we write the formula $v_0 \wedge v_1 \wedge \neg v_2 \wedge v_0' \wedge \neg v_1' \wedge v_2'$. The disjunction of all such transitions is the transition relation of the model. If $N$ is a transition relation, then we write $N(V, V')$ to denote the BDD that represents it.

2.2 Parallel Composition

The technique above shows how to construct the graph that models one component of the system. But usually systems are described by a set of components that execute concurrently. For synchronous or asynchronous circuits the components are the smaller circuits that are connected together to construct the bigger circuit. For protocols or programs the components are the processes that execute in parallel.

There are two major ways of composing processes or systems: synchronously and asynchronously. In synchronous composition all processes execute at the same time: one step in one process corresponds to exactly one step in all the other processes. In asynchronous composition, on the other hand, only one process executes at any point in time. When one process steps all the others remain unchanged. The choice of which process steps at any time is nondeterministic. There are different algorithms for composing synchronous and asynchronous systems.


Figure 1: A modulo 8 counter


2.2.1 Synchronous Systems

The method for deriving the transition relation of a synchronous system can be illustrated using a small example. Consider the circuit of a modulo 8 counter in Fig. 1. Let $V = \{v_0, v_1, v_2\}$ be the set of state variables for this circuit, and let $V' = \{v_0', v_1', v_2'\}$ be another copy of the state variables. The transitions of the modulo 8 counter are given by

$$v_0' = \neg v_0$$
$$v_1' = v_0 \oplus v_1$$
$$v_2' = (v_0 \wedge v_1) \oplus v_2$$

The above equations can be used to define the relations

$$N_0(V, V') = (v_0' \Leftrightarrow \neg v_0)$$
$$N_1(V, V') = (v_1' \Leftrightarrow v_0 \oplus v_1)$$
$$N_2(V, V') = (v_2' \Leftrightarrow (v_0 \wedge v_1) \oplus v_2)$$

which describe the constraints each $v_i'$ must satisfy in a legal transition. Each constraint can be seen as a separate component, and their composition generates the counter. These constraints can be combined by taking their conjunction to form the transition relation:

$$N(V, V') = N_0(V, V') \wedge N_1(V, V') \wedge N_2(V, V').$$

In the general case of a synchronous system with $n$ components, we let $\{N_0, \ldots, N_{n-1}\}$ be the set of transition relations for each component. Each transition relation $N_i$ determines the values of a subset of variables in $V$ in the next state. Analogous to the modulo 8 counter, the conjunction of these relations forms the transition relation

$$N(V, V') = N_0(V, V') \wedge \cdots \wedge N_{n-1}(V, V').$$

Thus, the transition relation for a synchronous system can be expressed as a conjunction of relations.

Given a BDD for each transition relation $N_i$, it is possible to compute the BDD that represents $N$. We say that such a transition relation is monolithic because it is represented by a single BDD. Monolithic transition relations are the primary bottleneck for verification, because their size can be exponential in the number of equations used to define it.


2.2.2 Asynchronous Systems

As with synchronous systems, the transition relation for an asynchronous system can be expressed as a conjunction of relations. Alternatively, it can be expressed as a disjunction. To simplify the description of how such transition relations are obtained, we assume that all the components of the system have exactly one output and have no internal state variables. In this case, it is possible to describe each component completely by a function $f_i(V)$. Given values for the present state variables $V$, the component drives its output to the value specified by $f_i(V)$. For some components, such as C-elements and flip-flops, the function $f_i(V)$ may depend on the current value of the output of the component, as well as the inputs. Extending the method to handle components with multiple outputs is straightforward.

In speed-independent asynchronous systems, there can be an arbitrary delay between when a transition is enabled and when it actually occurs. We can model this by allowing each component to choose nondeterministically whether to transition or not. This results in a conjunction of $n$ parts, all of the form

$$T_i(V, V') = (v_i' \Leftrightarrow f_i(V)) \vee (v_i' \Leftrightarrow v_i).$$

This model is similar to the synchronous case discussed above, and allows more than one variable to transition concurrently.

Normally, we will use an interleaving model for asynchronous composition, in which only one variable is allowed to transition at a time. First, we apply the distributive law to the conjunction of the $T_i$'s, giving a disjunction of $2^n$ terms:

$$\bigwedge_{i=1}^{n} T_i = \bigvee_{b_1, \ldots, b_n} \left( \bigwedge_{i=1}^{n} v_i' \Leftrightarrow g_i^{b_i}(V) \right)$$

where all $b_i$'s are indices over $\{0, 1\}$ and

$$g_i^{b}(V) = \begin{cases} f_i(V) & \text{if } b = 1 \\ v_i & \text{if } b = 0. \end{cases}$$

Each of these terms $\bigwedge_{i=1}^{n} v_i' \Leftrightarrow g_i^{b_i}(V)$ corresponds to the simultaneous transitioning of some subset of the $n$ variables in the model for which $b_i = 1$. Second, we keep only those terms that correspond to exactly one variable being allowed to transition (that is, only those disjuncts for which the vector $b_1, \ldots, b_n$ contains exactly one 1). This results in a disjunction of the form

$$N(V, V') = N_0(V, V') \vee \cdots \vee N_{n-1}(V, V'),$$

where

$$N_i(V, V') = (v_i' \Leftrightarrow f_i(V)) \wedge \bigwedge_{j \neq i} (v_j' \Leftrightarrow v_j).$$

Notice that, using this method, asynchronous systems are composed by disjuncting their components, while synchronous systems are composed by conjuncting their components.


3 Partitioned Transition Relations

Computing the image or pre-image of a set of states $S$ under a transition relation $N$ is the most important operation in model checking. A state $t$ is a successor of $s$ under $N$ if there is a transition from $s$ to $t$ or, in other words, $N(s, t)$ holds. The image of a set of states $S$ is the set of all successors of $S$. If the set $S$ and the transition relation $N$ are given by boolean formulas, then the image of $S$ is given by the following formula

$$\exists V [S(V) \wedge N(V, V')],$$

where $\exists V$ denotes existential quantification over all variables in $V$. This formula defines the set of successors in terms of the free variables $V'$. Similarly, a state $s$ is a predecessor of a state $t$ under $N$ iff $N(s, t)$ is true. The set of predecessors of a state set $S$ is described by the formula

$$\exists V' [S(V') \wedge N(V, V')].$$

Formulas of this type are called relational products.

While it is possible to implement the relational product with one conjunction and a series of existential quantifications, in practice this would be fairly slow. In addition, the OBDD for $S(V') \wedge N(V, V')$ is often much larger than the OBDD for the final result, and we would like to avoid constructing it if possible. For these reasons, we use a special algorithm to compute the OBDD for the relational product in one step from the OBDDs for $S$ and $N$. Figure 2 gives this algorithm for two arbitrary OBDDs $f$ and $g$.

Like many OBDD algorithms, RelProd uses a result cache. In this case, entries in the cache are of the form $(f, g, E, r)$, where $E$ is a set of variables that are quantified out and $f$, $g$ and $r$ are OBDDs. If such an entry is in the cache, it means that a previous call to $\mathit{RelProd}(f, g, E)$ returned $r$ as its result.

Although the above algorithm works well in practice, it has exponential complexity in the worst case. Most of the situations where this complexity is observed are cases in which the OBDD for the result is exponentially larger than the OBDDs for the arguments $f(V)$ and $g(V)$. In such situations, any method of computing the relational product must have exponential complexity.

In the previous section we have described how to construct the global transition relation $N$ from the individual transition relations $N_i$ of the component processes. However, the size of $N$ can be significantly larger than the sum of the sizes of all the $N_i$'s. Our goal is to be able to compute relational products without constructing the global transition relation explicitly.

3.1 Disjunctive Partitioning

The global transition relation of an asynchronous system may be written as the disjunction of the transition relations for the individual components of the system. In this case, a relational product will have the form

$$\exists V' [S(V') \wedge (N_0(V, V') \vee \cdots \vee N_{n-1}(V, V'))].$$
    function RelProd(f, g : OBDD, E : set of variables) : OBDD
        if f = 0 ∨ g = 0
            return 0
        else if f = 1 ∧ g = 1
            return 1
        else if (f, g, E, r) is in the result cache
            return r
        else
            let x be the top variable of f
            let y be the top variable of g
            let z be the topmost of x and y
            r0 := RelProd(f|z←0, g|z←0, E)
            r1 := RelProd(f|z←1, g|z←1, E)
            if z ∈ E
                r := Or(r0, r1)            /* OBDD for r0 ∨ r1 */
            else
                r := BDDnode(z, r1, r0)    /* OBDD for (z ∧ r1) ∨ (¬z ∧ r0) */
            endif
            insert (f, g, E, r) in the result cache
            return r
        endif

Figure 2: Relational product algorithm


In practice computing the value of a large formula with many quantifiers is usually very expensive. Since the existential quantifier distributes over disjunction we can shrink the scope of the quantifier to the individual components:

$$\exists V' [S(V') \wedge N_0(V, V')] \vee \cdots \vee \exists V' [S(V') \wedge N_{n-1}(V, V')]$$

When this technique is used it is possible to compute relational products for much larger asynchronous systems.

3.2 Conjunctive Partitioning

For synchronous systems, a relational product will have the form

$$\exists V [S(V) \wedge (N_0(V, V') \wedge \cdots \wedge N_{n-1}(V, V'))].$$

Unfortunately, existential quantification does not distribute over conjunction, so we cannot directly apply the same transformation as in the asynchronous case. A simple counterexample is

$$\exists a [(a \vee b) \wedge (\neg a \vee c)] \neq \exists a [a \vee b] \wedge \exists a [\neg a \vee c]$$

since it reduces to:

$$[b \vee c] \neq \mathit{true}.$$

Nevertheless, we still can apply partitioning because systems often exhibit locality: most $N_i$'s depend only on a small number of variables in $V$ and $V'$. Subformulas can be moved outside of the scope of existential quantification if they do not depend on any of the variables being quantified:

$$\exists a [(a \vee b) \wedge (b \vee c)] = \exists a [a \vee b] \wedge (b \vee c)$$

We can optimize the computation of a relational product by using early variable elimination for variables in each $N_i$. First, pick an order $\rho$ for considering the partitions in the relational product. Then define $D_i$ to be the set of variables process $P_i$ depends on, and $E_i$ to be a subset of $D_i$ consisting of variables that no process later in the ordering depends on, i.e.,

$$E_{\rho(i)} = D_{\rho(i)} - \bigcup_{k=i+1}^{n-1} D_{\rho(k)}.$$

We will illustrate this with our example of the modulo 8 counter.

$N_0 = (v_0' \Leftrightarrow \neg v_0)$ depends on $D_0 = \{v_0\}$

$N_1 = (v_1' \Leftrightarrow v_0 \oplus v_1)$ depends on $D_1 = \{v_0, v_1\}$

$N_2 = (v_2' \Leftrightarrow (v_0 \wedge v_1) \oplus v_2)$ depends on $D_2 = \{v_0, v_1, v_2\}$

If we choose the ordering $\rho = 2, 1, 0$, then $E_2 = \{v_2\}$, $E_1 = \{v_1\}$ and $E_0 = \{v_0\}$. We now can transform the relational product to:

$$S_1(V, V') = \exists_{v \in E_{\rho(0)}} [S(V) \wedge N_{\rho(0)}(V, V')]$$
$$S_2(V, V') = \exists_{v \in E_{\rho(1)}} [S_1(V, V') \wedge N_{\rho(1)}(V, V')]$$
$$\vdots$$
$$S_n(V') = \exists_{v \in E_{\rho(n-1)}} [S_{n-1}(V, V') \wedge N_{\rho(n-1)}(V, V')].$$

Or putting it all together,

$$\exists_{E_{\rho(n-1)}} \Big[ \cdots \underbrace{\exists_{E_{\rho(1)}} \big[ \underbrace{\exists_{E_{\rho(0)}} [S(V) \wedge N_{\rho(0)}(V, V')]}_{S_1} \wedge N_{\rho(1)}(V, V') \big]}_{S_2} \cdots \wedge N_{\rho(n-1)}(V, V') \Big]$$

The ordering $\rho$ has a significant impact on how early in the computation state variables can be quantified out. This affects the size of the BDDs constructed and the efficiency of the verification procedure. Thus, it is important to choose $\rho$ carefully, just as with the BDD variable ordering. For example, a badly chosen ordering $\rho = 0, 1, 2$ for the same modulo 8 counter yields $E_0 = \{\}$, $E_1 = \{\}$ and $E_2 = \{v_0, v_1, v_2\}$, which results in no optimization at all.

In practice, we have found it fairly easy to come up with orderings which give good results. We search for a good ordering $\rho$ by using a greedy algorithm to find a good ordering on the variables $v_i$ to be eliminated. For each ordering on the variables, there is an obvious ordering on the relations $N_i$ such that when this relation ordering is used, the variables can be eliminated in the order given by the greedy algorithm.

The algorithm in Fig. 3 gives our basic greedy technique. We start with the set of variables $V$ to be eliminated and a collection $C$ of sets where every $D_i \in C$ is the set of variables on which $N_i$ depends. We then eliminate the variables one at a time by always choosing the variable with the least cost and then updating $V$ and $C$ appropriately.

    while (V ≠ ∅) do
    begin
        For each v ∈ V compute the cost of eliminating v;
        Eliminate variable with lowest cost by updating C and V;
    end;

Figure 3: Algorithm for variable elimination.

All that remains is to determine the cost metric to use. We will consider three different cost measures. To simplify our discussion, we will use $N_v$ to refer to the relation created when eliminating variable $v$ by taking the conjunction of all the $N_i$ that depend on $v$ and then quantifying out $v$. We will use $D_v$ to refer to the set of variables on which this $N_v$ depends.

minimum size: The cost of eliminating a variable $v$ is simply $|D_v|$. With this cost function, we always try to ensure that the new relation we create depends on the fewest number of variables.

minimum increase: The cost of eliminating variable $v$ is

$$|D_v| - \max_{D_i \in C,\, v \in D_i} |D_i| + 1$$

which is the difference between the size of $D_v$ and the size of the largest $D_i$ containing $v$. The idea is that if we have a lot of small relations that all share one variable, then we do not want to eliminate that variable, since this may result in a big $N_v$. But this is what the previous heuristic would suggest. Instead, the minimum increase cost will favor eliminating variables that are shared by a small number of relations, thus keeping the resulting relation smaller. In other words, we prefer to make a small increase in the size of an already large relation than to create a new large relation.
minimum sum: The cost of eliminating variable $v$ is

$$\sum_{D_i \in C,\, v \in D_i} |D_i|$$

which is simply the sum of the sizes of all the $D_i$ containing $v$. Since the cost of conjunction depends on the sizes of the arguments, we approximate this cost by the number of variables on which each of the arguments depends.

The overall goal is to minimize the size of the largest BDD created during the elimination process. In our abstraction, this translates to finding an ordering that minimizes the size of the largest set $D_v$ created during the process. Always making a locally optimal choice does not guarantee an optimal solution and there are counterexamples for each of the three cost functions. In fact, the problem of finding an optimal ordering can be shown to be NP-complete. However, the minimum sum cost function seems to provide the best approximation of the cost of the actual BDD operations and in practice has the best performance on most examples.


4 Lazy Parallel Composition


Lazy parallel composition is an alternative method for compositional reasoning that can be related to partitioned transition relations. As in the case of the partitioned transition relations, the global transition relation is never constructed. However, in contrast to the previous method, a restricted transition relation for all processes is created. The restricted transition relation agrees with the global transition relation for 'important' states, but it may behave in a different way for other states. The advantage comes from the fact that in many cases it is possible to construct a restricted transition relation that is significantly smaller than the global transition relation.

There are many possible ways of constructing a restricted transition relation that would produce correct results. Given an original global transition relation $N$ and a state set $S$, the computation of the set of successors of $S$ can use any restricted transition relation $N'$ that satisfies the following condition:

$$N'|_S = N|_S$$

The formula above means that $N$ and $N'$ agree on transitions that start from states in $S$. It is possible to represent $N'$ with significantly fewer nodes than $N$ in some cases by using the constrain operator from [14, 27]. For two boolean formulas $f$ and $g$, $f' = \mathit{constrain}(f, g)$ is a formula that has the same truth value as $f$ for variable assignments that satisfy $g$. If the variable assignment does not satisfy $g$, the value of $f'$ can be arbitrary. In other words:

$$f'(x) = \begin{cases} f(x) & \text{if } g(x) \\ \text{don't care} & \text{otherwise} \end{cases}$$

In many cases the size of $f'$ is significantly smaller than the size of $f$.

The lazy composition algorithm uses the constrain operator to simplify the transition relation of each process before generating the global restricted transition relation. When computing the set of successors of a state set $S$ (represented by a boolean formula) the algorithm computes

$$N' = \bigwedge_{i = 0..n} \mathit{constrain}(N_i, S).$$

Each transition relation $N_i' = \mathit{constrain}(N_i, S)$ agrees with $N_i$ on transitions that start in $S$ by the definition of the constrain operator. As a consequence, the transition relation $N'$ agrees with the global transition relation $N$ on transitions that start in $S$ as well. Therefore, computing the set of successors of $S$ using $N'$ produces the same result as using $N$. The same method can be applied when computing the set of predecessors of a state set $S$. Only in this case the constrain operator has to maintain those transitions in $N$ that end in $S$.

4.1 Partitioning vs. Lazy Composition

Lazy parallel composition is less sensitive to the order in which variables are eliminated than partitioned transition relations. This is because step $i$ in the partitioned transition relation depends on step $i - 1$, as shown below

$$\underbrace{\exists v_1 \big[ \underbrace{\exists v_0 [S(V) \wedge N_0(V, V')]}_{\text{step 1}} \wedge N_1(V, V') \big]}_{\text{step 2}}.$$

As a consequence, the final degree of partitioning heavily depends on the order in which we quantify the variables out. We have already seen an example of such dependency in Section 3.2.

The lazy parallel composition, on the other hand, processes each component independently, and thus does not depend on the order in which the constrain operators are applied:

$$\exists V \big[ S(V) \wedge ( \underbrace{N_1(V, V')|_S}_{\text{step 1}} \wedge \underbrace{N_2(V, V')|_S}_{\text{step 2}} ) \big].$$

We have implemented the lazy composition algorithm and obtained significant gains in both space and time. The verification of one example took 18 seconds and 1 MB of memory when lazy composition was used. The same example took about the same amount of time but twice as much memory when partitioned transition relations were used. If neither method was used, verification required more than 40 seconds and 12 MB. A significant part of the savings in both methods results from not constructing the global transition relation. However, lazy parallel composition often requires much less memory. The reason seems to be that partitioned transition relations are heavily influenced by the order in which partitions are processed, because this order determines which variables can or cannot be quantified out early. In lazy parallel composition this does not happen, since all of the variables are quantified out at the same time. This makes it less susceptible to the order in which partitions are processed, and more suitable to be used in the cases in which determining the processing order can be difficult. It also makes the new technique easier to automate.


5  Interface  Processes 

An  important  observation  leads  to  another  approach  to  compositional  verification.  The  state 
explosion  problem  is  usually  most  severe  for  loosely  coupled  processes  which  communicate  using  a 
small  number  of  shared  variables. 

5.1  Cone  of  Influence  Reduction 

Suppose we are given a set of variables $\sigma$ that we are interested in with respect to the process P. We can simplify the process P using the cone of influence reduction. Assume that the system is specified by a set of equations:

$$v'_i = f_i(V).$$

Define the cone of influence $C_i$ of $v_i$ for each variable $v_i$ as the minimal set of variables such that

• $v_i \in C_i$,

• if for some $v_l \in C_i$ its $f_l$ depends on $v_j$, then $v_j \in C_i$.

Construct a new (reduced) process P' from P by removing all the equations whose left hand side variables do not appear in any of the $C_i$'s for $v_i \in \sigma$. It can be easily shown that $P \models \varphi$ iff $P' \models \varphi$, if $\varphi$ contains only variables from $\sigma$.

Again, consider our example of the modulo 8 counter (fig. 1). Its set of equations is

$$v'_0 = \neg v_0$$

$$v'_1 = v_0 \oplus v_1$$

$$v'_2 = (v_0 \wedge v_1) \oplus v_2$$

Clearly $C_0 = \{v_0\}$, since $f_0$ does not depend on any variable other than $v_0$. We have $C_1 = \{v_0, v_1\}$, since $f_1$ depends on both of the variables, but $v_2 \notin C_1$ because no variable in $C_1$ depends on $v_2$. And $C_2$ is the set of all the variables.
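The cone-of-influence construction above, carried out in code on the same modulo 8 counter (an added example, not from the paper). The next-state functions, the explicit-state reachability check and the names cone_of_influence, reduce_process and reduction_is_exact are mine; the final check confirms that P' reproduces exactly the behaviour of P projected onto the variables it keeps.

```python
# Added example (not from the paper): cone-of-influence reduction for a process given
# as next-state equations v_i' = f_i(V), run on the modulo 8 counter
#   v0' = not v0,  v1' = v0 xor v1,  v2' = (v0 and v1) xor v2.

# Each equation is (next-state function, set of variables the function reads).
# The reduction only needs the dependency sets; the functions let us run both processes.
COUNTER = {
    "v0": (lambda s: not s["v0"], {"v0"}),
    "v1": (lambda s: s["v0"] ^ s["v1"], {"v0", "v1"}),
    "v2": (lambda s: (s["v0"] and s["v1"]) ^ s["v2"], {"v0", "v1", "v2"}),
}


def cone_of_influence(eqs, var):
    """Minimal C_i with v_i in C_i, closed under: if f_l (v_l in C_i) reads v_j, then v_j in C_i."""
    cone, work = {var}, [var]
    while work:
        for dep in eqs[work.pop()][1]:
            if dep not in cone:
                cone.add(dep)
                work.append(dep)
    return cone


def reduce_process(eqs, sigma):
    """P': drop every equation whose left-hand side lies outside the cones of the variables in sigma."""
    keep = set().union(*(cone_of_influence(eqs, v) for v in sigma))
    return {v: eqs[v] for v in keep}


def reachable(eqs, init):
    """Explicit-state forward reachability. States are frozensets of (variable, value) pairs;
    the process is deterministic, so each state has exactly one successor."""
    start = frozenset(init.items())
    seen, frontier = {start}, [start]
    while frontier:
        cur = dict(frontier.pop())
        nxt = frozenset((v, bool(f(cur))) for v, (f, _) in eqs.items())
        if nxt not in seen:
            seen.add(nxt)
            frontier.append(nxt)
    return seen


def project(state, variables):
    """Restrict a state to the given variables."""
    return frozenset((v, b) for v, b in state if v in variables)


def reduction_is_exact(eqs, sigma, init):
    """The kept variable set is closed under dependencies, so projecting the reachable
    states of P onto it must give exactly the reachable states of P'."""
    reduced = reduce_process(eqs, sigma)
    kept = set(reduced)
    projected = {project(s, kept) for s in reachable(eqs, init)}
    small = reachable(reduced, {v: init[v] for v in kept})
    return projected == small


if __name__ == "__main__":
    zero = {"v0": False, "v1": False, "v2": False}
    for v in COUNTER:
        print(f"C({v}) = {sorted(cone_of_influence(COUNTER, v))}")
    # sigma = {v1}: P' keeps v0 and v1 only and has 4 reachable states instead of 8
    small = reduce_process(COUNTER, {"v1"})
    print("P  reachable states:", len(reachable(COUNTER, zero)))
    print("P' reachable states:", len(reachable(small, {"v0": False, "v1": False})))
    print("reduction exact for sigma = {v1}:", reduction_is_exact(COUNTER, {"v1"}, zero))
```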


Suppose two processes $P_1$ and $P_2$ communicate using a set of variables $\sigma$. Then $P_1$ can only observe the behavior of $P_2$ through $\sigma$. It means that we can replace $P_2$ by any equivalent process $A_2$ which is indistinguishable from $P_2$ with respect to $\sigma$, and this will completely preserve the behavior of $P_1$. The idea is to find a smaller process $A_2$ that hides all events irrelevant to $\sigma$.


The following interface rule guarantees the correctness of the abstraction $A_2$ with respect to $P_1$. Let $P|_\sigma$ be the restriction of P to the cone of influence of variables in $\sigma$, and $\mathcal{L}(\sigma)$ be the set of all CTL formulas with free variables from $\sigma$. The interface rule states that if the following conditions are satisfied:

• $P_2|_\sigma \equiv A_2$,

• $P_1 \| A_2 \models \varphi$,

• $\varphi$ is a CTL formula such that $\varphi \in \mathcal{L}(\sigma)$,

then $\varphi$ is also true in $P_1 \| P_2$. In fact, it is sufficient for $\varphi$ to be in $\mathcal{L}(\Sigma_{P_1})$ for this rule to be sound, where $\Sigma_{P_1}$ is the set of variables of $P_1$.

In  the  remainder  of  this  section  we  describe  how  this  strategy  can  be  made  precise  and  show 
how  it  can  be  used  to  reduce  the  state  explosion  problem  for  loosely  coupled  processes. 
5.2 Soundness of the interface rule

In order for the interface rule to be sound we need to specify some properties that the process equivalence has to satisfy. For a process P let $\Sigma_P$ be the set of atomic propositions (or state variables) in P, and let $\mathcal{L}(\Sigma)$ be the language of temporal formulas over the alphabet $\Sigma$. For any two processes $P_1$ and $P_2$ with sets of variables $\Sigma_{P_1}$ and $\Sigma_{P_2}$, the following axioms have to be satisfied:

1. $P_1 \equiv P_2$ implies $\forall \varphi \in \mathcal{L}(\Sigma_{P_1})\,[P_1 \models \varphi \Leftrightarrow P_2 \models \varphi]$

2. If $P_1 \equiv P_2$ then $P_1 \| Q \equiv P_2 \| Q$ and $Q \| P_1 \equiv Q \| P_2$

3. $(P_1 \| P_2)|_{\Sigma_{P_1}} \equiv P_1 \| (P_2|_{\Sigma_{P_1}})$ and $(P_1 \| P_2)|_{\Sigma_{P_2}} \equiv (P_1|_{\Sigma_{P_2}}) \| P_2$

4. If $\varphi \in \mathcal{L}(\Sigma')$ and $\Sigma' \subseteq \Sigma_P$, then $P \models \varphi$ iff $P|_{\Sigma'} \models \varphi$

Theorem 1. (Soundness) The Interface Rule is sound.

To remind the reader, the interface rule states that

• $P_2|_{\Sigma_{P_1}} \equiv A_2$,

• $P_1 \| A_2 \models \varphi$,

• $\varphi$ is a CTL formula such that $\varphi \in \mathcal{L}(\Sigma_{P_1})$,

imply $P_1 \| P_2 \models \varphi$. Notice that restricting $P_2$ to $\Sigma_{P_1}$ produces the same result as $P_2|_\sigma$, where $\sigma = \Sigma_{P_1} \cap \Sigma_{P_2}$.

Proof. Since $P_2|_{\Sigma_{P_1}} \equiv A_2$, by axiom 2 we have $P_1 \| A_2 \equiv P_1 \| (P_2|_{\Sigma_{P_1}})$. By axiom 3, $P_1 \| (P_2|_{\Sigma_{P_1}}) \equiv (P_1 \| P_2)|_{\Sigma_{P_1}}$, hence we also have $P_1 \| A_2 \equiv (P_1 \| P_2)|_{\Sigma_{P_1}}$. And since $P_1 \| A_2 \models \varphi$ and $\varphi \in \mathcal{L}(\Sigma_{P_1})$, by axiom 1 we derive $(P_1 \| P_2)|_{\Sigma_{P_1}} \models \varphi$, and from axiom 4 we immediately get $P_1 \| P_2 \models \varphi$ as required.

5.3  Equivalence  of  Processes 

We  define  concrete  equivalence  relations  over  the  processes  that  fulfil  our  requirements  and  are  the 
most  suitable  in  our  framework.  We  use  bisimulation  equivalence  and  stuttering  equivalence  with 
synchronous  parallel  composition.  We  also  give  an  “efficient”  polynomial  algorithm  to  determine 
bisimulation  equivalence  between  processes  and  a  sketch  of  the  algorithm  for  stuttering  equivalence. 

Definition 1. A model is a triple $M = (S, N, L)$, where S is a set of states, $N \subseteq S \times S$ is a transition relation and L is a labeling function mapping each state into a set of atomic propositions that are true in that state.

5.3.1 Bisimulation Equivalence.

Consider two models $M = (S, N, L)$ and $M' = (S', N', L')$ with the same set of atomic propositions.

Definition 2. A binary relation $E \subseteq S \times S'$ is called a bisimulation relation if for any $s \in S$ and $s' \in S'$, $E(s, s')$ implies $L(s) = L'(s')$ and

(i) $\forall r \in S.\ N(s, r) \Rightarrow \exists r' \in S' : N'(s', r') \wedge E(r, r')$

(ii) $\forall r' \in S'.\ N'(s', r') \Rightarrow \exists r \in S : N(s, r) \wedge E(r, r')$.

Definition 3. A bisimulation equivalence is the maximum bisimulation relation in the subset inclusion preorder.

Notice that the definition of a bisimulation relation can be viewed as a fixpoint equation. Hence, the bisimulation equivalence is just the greatest fixpoint of that equation. This gives rise to a simple polynomial algorithm for computing the bisimulation equivalence using the well known iterative procedure. We compute a (decreasing) sequence of relations $E_0, E_1, \ldots$ until this sequence converges to a fixpoint at the n-th step. This convergence is guaranteed in the finite-state case, since the subset inclusion preorder is well-founded in both directions. Choosing an appropriate $E_0$ guarantees that this fixpoint is the greatest fixpoint, therefore $E_n$ is the required bisimulation equivalence. The sequence of relations is defined inductively as follows:

1. $s E_0 s'$ iff $L(s) = L'(s')$,

2. $s E_{n+1} s'$ iff $L(s) = L'(s')$ and

• $\forall s_1\,[N(s, s_1)$ implies $\exists s'_1\,[N'(s', s'_1) \wedge s_1 E_n s'_1]]$

• $\forall s'_1\,[N'(s', s'_1)$ implies $\exists s_1\,[N(s, s_1) \wedge s_1 E_n s'_1]]$

The complexity of this algorithm is $O(m^2)$, where m is the sum of the sizes of the transition relations. There are more efficient algorithms for computing bisimulation equivalence, for example the Paige-Tarjan algorithm [24]. Its complexity is $O(m \log n)$ in time and $O(m + n)$ in space, where n is the sum of the numbers of states in both models, and m is the sum of the sizes of the transition relations. However, it is unclear whether this algorithm can employ BDDs as well.
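The iterative refinement $E_0 \supseteq E_1 \supseteq \ldots$ above, implemented explicitly over models in the sense of Definition 1 (an added example, not the paper's or any tool's code), and extended to the quotient construction that "minimizing" a process in section 5.4 relies on. The three small models and the function names bisimulation and quotient are constructed for illustration.

```python
# Added example (not from the paper): greatest-fixpoint computation of bisimulation
# equivalence E_0 ⊇ E_1 ⊇ ... and the quotient (minimization) it induces.
# A model is (S, N, L) as in Definition 1: S a set of states, N a set of (s, r)
# transition pairs, L a dict mapping each state to a frozenset of atomic propositions.
from collections import defaultdict


def successors(N):
    """Map each state to the set of its N-successors."""
    succ = defaultdict(set)
    for s, r in N:
        succ[s].add(r)
    return succ


def bisimulation(M, M2):
    """E_0 = label-equal pairs; E_{n+1} keeps a pair of E_n only if every move of either
    state is matched by a move of the other into a pair of E_n (conditions (i) and (ii)).
    Returns (E_n, n) as soon as E_{n+1} == E_n."""
    S, N, L = M
    S2, N2, L2 = M2
    succ, succ2 = successors(N), successors(N2)
    E = {(s, t) for s in S for t in S2 if L[s] == L2[t]}  # E_0
    n = 0
    while True:
        E_next = {
            (s, t) for (s, t) in E
            if all(any((r, r2) in E for r2 in succ2[t]) for r in succ[s])   # (i)
            and all(any((r, r2) in E for r in succ[s]) for r2 in succ2[t])  # (ii)
        }
        if E_next == E:
            return E, n
        E, n = E_next, n + 1


def quotient(M):
    """Minimize M: merge states that are bisimilar to each other (bisimulation of M with
    itself); each equivalence class is named after its smallest member."""
    S, N, L = M
    E, _ = bisimulation(M, M)
    rep = {s: min(t for t in S if (s, t) in E) for s in S}
    Sq = set(rep.values())
    Nq = {(rep[s], rep[r]) for s, r in N}
    Lq = {rep[s]: L[s] for s in S}
    return Sq, Nq, Lq


IDLE, BUSY = frozenset({"idle"}), frozenset({"busy"})

# Constructed model A: idle, then busy for exactly two steps, then idle again.
MODEL_A = ({0, 1, 2}, {(0, 1), (1, 2), (2, 0)}, {0: IDLE, 1: BUSY, 2: BUSY})
# Constructed model A4: the same behaviour, but the second busy state is duplicated.
MODEL_A4 = ({"p", "q", "r", "r2"},
            {("p", "q"), ("q", "r"), ("q", "r2"), ("r", "p"), ("r2", "p")},
            {"p": IDLE, "q": BUSY, "r": BUSY, "r2": BUSY})
# Constructed model B: once busy, it may stay busy for any number of steps.
MODEL_B = ({"a", "b"}, {("a", "b"), ("b", "b"), ("b", "a")}, {"a": IDLE, "b": BUSY})

if __name__ == "__main__":
    E, n = bisimulation(MODEL_A, MODEL_A4)
    print("A ~ A4:", sorted(E), "after", n, "refinement rounds")
    E, n = bisimulation(MODEL_A, MODEL_B)
    print("A ~ B:", E or "not bisimilar (E_n is empty)", "after", n, "rounds")
    print("quotient of A4 has", len(quotient(MODEL_A4)[0]), "states")
```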

5.3.2  Stuttering  Equivalence. 

Unlike bisimulation, the stuttering equivalence [4, 16] is usually defined over the computation paths of the models. Intuitively, two paths $\pi$ and $\pi'$ are considered stuttering equivalent if they can be partitioned into finite blocks of repeated, or stuttered, states, and corresponding blocks are equivalent in the two paths relative to the labeling functions L and L' of the models. Thus, we do not distinguish between two executions that differ only in the number of idle cycles between transitions. The stuttering equivalence also has a definition in terms of the greatest fixpoint.

Definition 4. A binary relation $E \subseteq S \times S'$ is called a stuttering relation if for any $s \in S$ and $s' \in S'$, $s E s'$ implies $L(s) = L'(s')$ and

(i) $\forall r.\ N(s, r) \Rightarrow \exists s'_0, \ldots, s'_n\ (n \ge 0).\ s'_0 = s'$ and $r E s'_n$ and $\forall 0 \le i < n.\ N'(s'_i, s'_{i+1})$ and $s E s'_i$;

(ii) $\forall r'.\ N'(s', r') \Rightarrow \exists s_0, \ldots, s_m\ (m \ge 0).\ s_0 = s$ and $s_m E r'$ and $\forall 0 \le i < m.\ N(s_i, s_{i+1})$ and $s_i E s'$.

Definition 5. A stuttering equivalence is the maximum stuttering relation in the subset inclusion preorder.

Stuttering equivalence preserves the truth of CTL* formulas that do not involve the next time operator X [4]. As in the case of bisimulation, we define inductively a sequence of relations $E_0, E_1, \ldots$ (that also converges in the finite-state case) and the stuttering equivalence is the intersection of all the $E_i$'s. However, instead of computing the direct pre-image at each iteration as we did for bisimulation, we compute the set of states from which there is a path to the current state along which the current labeling L(s) changes exactly once. This involves computing another least fixpoint. The details of the algorithm are described in [3]. A more efficient algorithm based on the Paige-Tarjan algorithm was found by Groote and Vaandrager [16] that runs in $O(mn)$ time. It is unknown, however, whether this algorithm can use BDDs as well.
Figure 4: A CPU controller.

5.4  Interface  Processes  Example 

As an example, we consider a model of the CPU controller [13] (fig. 4). The model comprises two parallel processes $P_a$ and $P_e$ called the access unit and the execution unit. The access unit $P_a$ fetches instructions and stores them in an instruction queue, and maintains a cache of the top of the CPU stack in a special register. The execution unit $P_e$ pops the instructions from the queue and interprets them. A major part of the temporal logic specification for the CPU's controller defines correct behavior for the access unit and consists of formulas on the set of signals which are inputs or outputs of the unit. These signals constitute $\Sigma_{P_a}$. An example of such a formula is the following:

$$\mathbf{AG}\,\mathbf{AF}\ fetch$$

The formula is a liveness property which states that instructions are fetched from the access unit to the execution unit infinitely often. Fetch is actually a propositional formula defined in terms of request and acknowledge signals between the two units.

The parallel composition of the access unit and the execution unit in our design has approximately 1100 reachable states. However, by restricting the outputs of the execution unit to those in $\Sigma_{P_a}$ and then minimizing it, we obtain an interface process $A_{P_e}$ such that $P_a \| A_{P_e}$ has only 196 reachable states. The reason for this reduction is that, while the execution unit interprets many different instructions, the memory accesses of these instructions fall into a few basic patterns.


6 Assume/Guarantee Reasoning

Assume-guarantee  reasoning  is  a  semi-automatic  method  that  verifies  each  component  separately. 
Ideally,  compositional  reasoning  exploits  the  natural  decomposition  of  a  complex  system  into  sim¬ 
pler  components,  handling  one  component  at  a  time.  In  practice,  however,  when  a  component  is 
verified  it  may  be  necessary  to  assume  that  the  environment  behaves  in  a  certain  manner.  If  the 
other  components  in  the  system  guarantee  this  behavior,  then  we  can  conclude  that  the  verified 
properties  are  true  of  the  entire  system.  These  properties  can  be  used  to  deduce  additional  global 
properties  of  the  system. 

The assume-guarantee paradigm [17, 21, 23, 25] uses this method. Typically, a formula is a triple $\langle g \rangle M \langle f \rangle$ where g and f are temporal formulas and M is a program. The formula is true if whenever M is part of a system satisfying g, the system must also satisfy f. A typical proof shows that $\langle g \rangle M \langle f \rangle$ and $\langle true \rangle M' \langle g \rangle$ hold and concludes that $\langle true \rangle M \| M' \langle f \rangle$ is true. This proof strategy can also be expressed as an inference rule:

$$\frac{\langle true \rangle M' \langle g \rangle \qquad \langle g \rangle M \langle f \rangle}{\langle true \rangle M \| M' \langle f \rangle}$$

The soundness of this simple assume-guarantee rule is straightforward.

In  order  to  automate  this  approach,  a  model  checker  must  be  able  to  check  that  a  property  is 
true  of  all  systems  which  can  be  built  using  a  given  component.  More  generally,  it  must  be  able 
to  restrict  to  a  given  class  of  environments  when  doing  this  check.  An  elegant  way  to  obtain  a 
system with this property is to provide a preorder $\preceq$ on the finite state models that captures the
notion  of  “more  behaviors”  and  to  use  a  logic  whose  semantics  is  consistent  with  the  preorder. 
The  order  relation  should  preserve  satisfaction  of  formulas  of  the  logic,  i.e.  if  a  formula  is  true 
for  a  model,  it  should  also  be  true  for  any  model  which  is  smaller  in  the  preorder.  Additionally, 
composition  should  preserve  the  preorder,  and  a  system  should  be  smaller  in  the  preorder  than  its 
individual  components.  Finally,  satisfaction  of  a  formula  should  correspond  to  being  smaller  than 
a  particular  model  (a  tableau  for  the  formula)  in  the  preorder. 

Following Grumberg and Long [17], we use synchronous process composition, the simulation preorder, and the temporal logic ACTL (a subset of CTL without existential path quantifiers). This choice is motivated by the expressiveness of ACTL and the existence of a very efficient model checking algorithm for this logic. The simulation preorder is also a natural choice, since it is simple and intuitive as well as easily automated. We employ tableau construction methods for converting formulas into processes. Informally, a tableau for a formula $\varphi$ is the greatest process (in the preorder) such that $A_\varphi \models \varphi$. In the remainder of this section we will not distinguish formulas and processes and will write, for example, $M \preceq \varphi$ to mean $M \preceq A_\varphi$.

It can be easily shown that our choice of formalisms meets all the requirements [17]. In particular, for all M and M' we have $M \| M' \preceq M$, and if $M' \preceq A$ then $M \| M' \preceq M \| A$, because synchronous composition can only restrict possible behaviors. Since M is greater than any system containing M, we can focus on proving properties of M in isolation. This ensures that the same properties hold for an arbitrary system containing M.

Using the tableau construction we can verify $M \models \varphi$ by checking the relation $M \preceq \varphi$. In practice, however, to increase efficiency we use classical model checking for verifying $M \models \varphi$ for a single component M if $\varphi$ is given by a formula, and the simulation preorder if $\varphi$ is an automaton. Assumptions on the model correspond to composition. That is, a model M has the same set of behaviors under assumptions $\psi$ as the model $M \| \psi$ without any assumptions. Thus, our triple $\langle \varphi \rangle M \langle \psi \rangle$ corresponds to $\varphi \| M \preceq \psi$. In other words, discharging assumptions corresponds to checking the preorder. Finally, the rule $M \preceq M \| M$ allows multiple levels of assume-guarantee reasoning.

Earlier  we  mentioned  that  the  logic  must  preserve  the  preorder  relation.  Now  we  formalize  and 
state  the  properties  explicitly. 

1. For all M, M' and $\varphi$, if $M \preceq M'$ and $M' \models \varphi$, then $M \models \varphi$ (removing behaviors cannot change a formula from true to false). Since $M \| M' \preceq M$, it is enough to check $M \models \varphi$ to know that any system containing M also satisfies $\varphi$.

2. For every $\varphi$, there is a structure $A_\varphi$ such that $M \models \varphi$ if and only if $M \preceq A_\varphi$. This allows us to use $\varphi$ as an assumption by composing M with $A_\varphi$.

3. Every model of $\varphi$ is also a model of $\psi$ if $A_\varphi \models \psi$.

These  lemmas  are  proved  rigorously  in  [17]  for  synchronous  composition  of  processes,  the  simulation 
preorder  and  the  logic  ACTL. 

6.1  Implementation  of  Assume  Guarantee  Reasoning 

Suppose we want to show that $M \| M' \models \psi$. That is, in terms of triples, we need to prove $\langle true \rangle M \| M' \langle \psi \rangle$. We verify that M satisfies some property $\vartheta$ by model checking. Next, using $\vartheta$ as an assumption, we show that M' satisfies some other auxiliary property $\varphi$. Finally, we show that M satisfies the required property $\psi$ under the assumption $\varphi$. Since this extends to any system containing M, we are done. If the intermediate formulas (or processes) $\varphi$ and $\vartheta$ are much smaller than M and M' respectively, then all the transition relations that must be constructed are significantly smaller than the one for $M \| M'$. This strategy for proving $M \| M' \models \psi$ can be summarized in the following assume-guarantee rule:

$$\frac{\langle true \rangle M \langle \vartheta \rangle \qquad \langle \vartheta \rangle M' \langle \varphi \rangle \qquad \langle \varphi \rangle M \langle \psi \rangle}{\langle true \rangle M \| M' \langle \psi \rangle}$$

In our framework, this corresponds to

$$\frac{M \preceq \vartheta \qquad \vartheta \| M' \preceq \varphi \qquad \varphi \| M \preceq \psi}{M \| M' \preceq \psi}$$

It is straightforward to show that this rule is sound by using the properties of the preorder relation stated earlier.

Theorem 2. The assume-guarantee rule is sound.

Proof. Since $M \preceq \vartheta$, we have $M \| M' \preceq \vartheta \| M'$. Since $\vartheta \| M' \preceq \varphi$, by transitivity $M \| M' \preceq \varphi$. Composing both sides with M we get $M \| M' \| M \preceq \varphi \| M$. Since parallel composition is commutative and associative, we can group the left hand side as $M \| M \| M'$. Then using $M \preceq M \| M$ and composing both sides with M' we obtain $M \| M' \preceq \varphi \| M$. Finally, from the last assumption $\varphi \| M \preceq \psi$ and transitivity we draw the conclusion of the rule $M \| M' \preceq \psi$.

So  far,  we  have  not  discussed  fairness.  Both  the  preorder  and  the  semantics  of  the  logic  should 
include  some  type  of  fairness.  This  is  essential  for  modeling  systems  (hardware  or  communication 
protocols)  at  the  appropriate  level  of  abstraction.  Moreover,  fairness  is  necessary  for  the  ACTL 
tableau  construction. 

Unfortunately, no efficient technique exists to check or compute the fair preorder between models.
In  [17],  Grumberg  and  Long  suggest  how  to  check  the  fair  preorder  only  for  a  few  trivial  cases. 
Kupferman  and  Vardi  showed  that  the  general  case  is  PSPACE-hard  to  compute  [22].  Henzinger, 
Kupferman,  and  Rajamani  [18]  have  proposed  a  new  type  of  fair  preorder  that  can  be  computed 
in  polynomial  time.  However,  it  is  not  clear  that  this  preorder  is  appropriate  for  compositional 
reasoning. 

6.1.1  Example:  The  Futurebus+  Protocol. 

David Long has used this type of reasoning to verify safety and liveness properties for the Futurebus+ standard of cache coherence protocol [12, 19]. The whole design is divided into parallel
components  that  represent  single  modules  like  cache,  memory,  bus,  etc.  This  example  requires 
several  levels  of  assumptions  and  guarantees. 

The  first  stage  of  the  verification  was  to  check  safety  properties,  since  they  can  be  verified  using 
only  forward  reachability  analysis  and  checking  at  each  iteration  that  the  current  set  of  reachable 
states  satisfies  the  property.  Once  a  violation  is  found,  the  search  is  terminated  immediately  and 
an  error  trace  is  generated.  The  ability  to  terminate  the  search  early  was  important  since  the  BDD 
representing  the  set  of  reached  states  tended  to  become  very  large  once  an  erroneous  transition 
had  occurred.  As  soon  as  all  of  the  basic  safety  properties  were  satisfied,  more  complex  formulas 
were  checked  in  the  state  space  restricted  to  the  set  of  reachable  states.  Such  a  restriction  also 
helped  greatly  in  keeping  the  BDD  from  blowing  up  in  size. 

Using  this  technique  he  found  specifications  that  were  satisfied  by  a  single  bus  configuration 
but  not  by  multiple  bus  configurations.  The  details  of  the  verification  can  be  found  in  [12]. 
7 Conclusions


We  describe  several  methods  of  dealing  with  the  state  explosion  problem,  which  arises  frequently 
due  to  parallel  composition  of  processes.  It  is  clear  that  compositional  reasoning  is  critical  in  formal 
verification.  Such  techniques  dramatically  reduce  the  complexity  of  model  checking  and  permit 
the  verification  of  significantly  larger  systems.  We  have  used  compositional  methods  extensively 
to verify large complex systems such as the Futurebus+ [12] and the PCI bus [10, 20] protocols.

This paper does not cover all of the compositional proof techniques. There are a number of other compositional techniques that can also be successfully used. For example, partial model checking [1] encodes one of the processes into the formula being checked, and simplifies the resulting formula. A similar method is described in [2]. Theorem proving techniques are also used to decompose and prove (manually) the property for each of the components [15, 26].

In  general,  all  of  the  compositional  model  checking  techniques  have  their  limitations  and  much 
work  remains  to  be  done.  The  most  important  problem  is  the  trade-off  between  efficiency  and 
automation.  More  powerful  methods  that  can  handle  enormous  complexity  usually  require  an 
expert  user  and  significant  manual  effort.  These  techniques  usually  rely  on  a  powerful  theorem 
prover  under  human  guidance  or  careful  choice  of  model  checking  parameters.  On  the  other 
hand,  completely  automatic  techniques  frequently  cannot  handle  extremely  complex  systems.  The 
problem  with  automatic  techniques  is  that  they  rely  heavily  on  heuristics  which  may  or  may  not 
work  on  different  types  of  examples,  and  most  of  the  intellectual  work  still  has  to  be  done  by  the 
user. 